This class is the base class for all of the supplied authentication adapters. This class takes care
of the password hash generation and session management, including the autologin function.

Available options are:

encryption.hash – default: sha256
The hash algorithm used to hash passwords. This can be a single algorithm, such
as sha256, sha1 or any other algorithm supported by the PHP hash() function. You can use the hash_algos()
function to get a list of available algorithms. Any unsupported algorithms are silently ignored.

This option can also be an array of algorithms, in which case each one is applied in the order
specified. During each iteration the original password, along with any salt value (see below), is
appended to the hash (this helps prevent hash collisions) before it is hashed with the next algorithm.

The default is sha256 for security. Please note that this breaks backwards compatibility with the 1.0
version of this module.

Configuration Directives

encryption.count – default: 1
For extra obfuscation, it’s possible to “hash the hash” this many times. This is the old method we used
to add extra security to the hash, except we now also append the original password to the hash before
hashing it (too much hash?). Where encryption.hash is a list of algorithms, each one
of these will be applied as above for each count. So for example, if you have a list of 3 algorithms
and the count is 3, your password will be hashed 9 times.

encryption.salt – default: null
For more security a salt value can be set which will be appended to each password when being hashed. If
the password is being hashed multiple times then the salt is appended to the hash + password.

autologin.period – default: 1
This is the period for which the autologin cookie will remain active (i.e. it will expire after this many
days). The default is one day.

autologin.hash – default: md5
This is the hash algorithm applied to the token placed in the cookie in the user’s browser
session. This data is hashed to ensure that it cannot be manipulated by the user.

token.hash – default: md5
The token hash is the value stored in the session cache and is used to confirm that a user
account is authenticated. As an added security measure we apply a hash to this value so that plain
text passwords will never be stored in the session cache, even if there is no password encryption chain.

timeout – default: 3600
For a standard login, this is the session expiry timeout. Basically this is the maximum time in which
a session will ever be active. If autologin is being used, then it is quite common to set this to a low
value to allow the user to be re-authenticated with the autologin token periodically.

This is now more often used as a cache timeout value because on logon, certain data is obtained for a user
and stored in cache. Sometimes obtaining this data can be processor intensive so we don’t want to do it
on every page load. Instead we do it, cache it, and then only do it again once this time passes.

This is useful for checking an account password before allowing something important to be updated.
This does the same steps as authenticate() but doesn’t actually do the authentication.

Parameters

$credential

mixed

No description

Returns

boolean

deauth()

deauth()

get()

get($key)

Parameters

$key

No description

getAutologinCookieName()

getAutologinCookieName()

getCredential()

getCredential($credential = null) : \null|string

Get the encrypted hash of a credential/password

This method uses the “encryption” options from the application configuration to generate
a password hash based on the supplied password. If no password is supplied then the
currently set credential is used.

NOTE: Keep in mind that if no credential is set, or it’s null, or an empty string, this
will still return a valid hash of that empty value using the defined encryption hash chain.
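
As an added illustration (not the module's own code), the sketch below follows the hash chain as the encryption options above describe it and shows two things worth checking in a deployment: algorithm names that hash() does not support, and the empty-credential case from the note. The function names chainHash(), unsupportedAlgos() and verify(), and all sample values, are hypothetical.

```php
<?php
// Added example, not the module's code: the chain as the option text describes it.
// chainHash(), unsupportedAlgos(), verify() and all sample values are hypothetical.

/** Configured algorithm names that hash() does not support (the chain skips these). */
function unsupportedAlgos(array $options): array
{
    return array_values(array_diff((array)$options['hash'], hash_algos()));
}

/** Each round hashes: previous hash + original password + salt. */
function chainHash(?string $password, array $options): string
{
    $algos = (array)($options['hash'] ?? 'sha256'); // single name or list
    $count = (int)($options['count'] ?? 1);
    $salt  = (string)($options['salt'] ?? '');
    $hash  = '';
    for ($i = 0; $i < $count; $i++) {
        foreach ($algos as $algo) {
            if (!in_array($algo, hash_algos(), true)) {
                continue; // unsupported names are skipped without an error
            }
            $hash = hash($algo, $hash . $password . $salt);
        }
    }
    return $hash;
}

/** Reject empty input before comparing, since an empty value still hashes cleanly. */
function verify(?string $supplied, string $stored, array $options): bool
{
    if ($supplied === null || $supplied === '') {
        return false;
    }
    return hash_equals($stored, chainHash($supplied, $options));
}

// Constructed sample configuration; 'sha265' is a deliberate typo for 'sha256'.
$options = ['hash' => ['sha256', 'sha265', 'sha512'], 'count' => 3, 'salt' => 'constructed-salt'];

// The typo is dropped silently, so 2 algorithms x 3 counts = 6 rounds run, not 9.
print_r(unsupportedAlgos($options));

$stored = chainHash('constructed-password', $options);
var_dump(verify('constructed-password', $stored, $options));

// An empty credential still yields a full-length hash that looks valid in storage.
$empty = chainHash('', $options);
var_dump(strlen($empty), verify('', $empty, $options));
```

Running a check like unsupportedAlgos() when the configuration is loaded turns a silently shortened chain into a visible configuration error.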